Can't Run Applications - Mdelk.exe & Bagel Worm


  • This topic is locked
8 replies to this topic

#1 rtb1314

Posted 19 February 2008 - 12:16 AM

Hi,

My apologies for being back here so soon.

I am currently down to spysweeper only - bitdefender support tried to upgrade my AV to 2008 after I had initial suspicions when I couldn't run AV and now it's spread to other applications etc.

I cannot get into safemode and have read that going the msconfig route might prove terminal.

I have also seen a lot of doom and gloom about mdelk - I've only had this in system for about 48hrs now and I think my info is safe due to the fact I haven't done anything sensitive online for nearly 2 weeks

I'd love to get you guys a log etc. but I'm not sure how.
I downloaded some software which scanned clean and whamo...

I sent some files to Bitdefender last night but it's in an archive form which is too big to upload - I'm sure there will be some clues in there - I have them if you need 'em or know which parts to extract.

Meantime waiting for some help....and holding steady.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 19 February 2008 - 01:01 PM

This infection normally involves other malicious files which need to be identified. I have even seen it with a rootkit. Removal will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

If HijackThis will not run, try renaming it. Open the HijackThis Folder, right-click on the HijackThis.exe file and rename it Scanner.exe. Double-click on Scanner.exe (which is still HijackThis) and then run your scan. If needed, change the .exe to something else such as .bat, .com, .pif, or .scr. Example: Scanner.bat or Scanner.com

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If you are unable to run .exe, .bat, .com files, please let us know and we can try some other options that may temporarily fix your associations.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 rtb1314


Posted 19 February 2008 - 06:23 PM

"If you are unable to run .exe, .bat, .com files, please let us know and we can try some other options that may temporarily fix your associations."

-I believe that this is the case however I will try to get a HJT log but in the meantime is there a fix for the associations or is that part of the infection?

Any help you can provide in running executables would be great.

I'll be working through the step by step guide tonight but I'm afraid I'll not be able to run some of the programs.

I received a response from Bitdefender but I further explained to them what was going on and suggested they rethink their attack because they were asking me to uninstall the one thing that is probably keeping my computer operational - spysweeper - correct me if I'm wrong.

They also suspected one executable process was giving me grief - based on what I've read I believe that this malware is a lot of smoking guns and mirrors.

I intend to follow the advice given here and watch with interest the bitdefender response - I think I'll be switching back to Norton or is McAfee any good these days - it was always my perception that Norton was more windows friendly.

THANKS FOR THE HELP.

L.

#4 quietman7


Posted 19 February 2008 - 08:13 PM

Yes, some types of malware infections will mess with your file associations. Since you're having trouble with getting programs to work, skip the other steps in the guide and go straight to downloading HJT and creating a log. As I said, change the extension type in order to get it to work if the .exe fails to do anything.

There are several suggested fixes in these links:
"Unable to Start a Program with an .exe File Extension"
"Broken EXE Association Fix"
"Fix or Restore Broken .EXE .LNK .COM Association Caused by Virus"
Note: Some of these steps involve making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable.
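
An added example, not part of the original thread: a read-only PowerShell check of the executable file associations discussed in the posts above (.exe, .bat, .com, .pif, .scr) against the stock Windows defaults. The function names are hypothetical and the expected values assume an unmodified Windows installation; nothing is written to the registry.

```powershell
# Added example: read-only audit of executable file associations.
# Expected values are the stock Windows defaults (assumption: unmodified install).
$expected = [ordered]@{
    '.exe' = @{ ProgId = 'exefile'; Command = '"%1" %*' }
    '.bat' = @{ ProgId = 'batfile'; Command = '"%1" %*' }
    '.com' = @{ ProgId = 'comfile'; Command = '"%1" %*' }
    '.pif' = @{ ProgId = 'piffile'; Command = '"%1" %*' }
    '.scr' = @{ ProgId = 'scrfile'; Command = '"%1" /S' }
}

function Get-DefaultValue([string]$Path) {
    # Returns the unnamed (Default) value of a key, or $null if the key is absent.
    $key = Get-Item -LiteralPath "Registry::$Path" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $key.GetValue('', $null, $opts)
}

function Test-ExecutableAssociations {
    foreach ($ext in $expected.Keys) {
        $want = $expected[$ext]
        # HKEY_CLASSES_ROOT is the merged per-user + machine view the shell uses.
        $progId = Get-DefaultValue "HKEY_CLASSES_ROOT\$ext"
        # Follow whatever ProgId the extension currently points at, so a
        # redirected extension shows the handler that would actually run.
        $command = if ($progId) {
            Get-DefaultValue "HKEY_CLASSES_ROOT\$progId\shell\open\command"
        }
        # Per-user keys override the machine-wide ones and need no admin
        # rights to create, so report their presence separately.
        $userExt = Get-DefaultValue "HKEY_CURRENT_USER\Software\Classes\$ext"
        $userCmd = if ($progId) {
            Get-DefaultValue "HKEY_CURRENT_USER\Software\Classes\$progId\shell\open\command"
        }
        [pscustomobject]@{
            Extension    = $ext
            ProgId       = $progId
            Command      = $command
            UserOverride = ($null -ne $userExt) -or ($null -ne $userCmd)
            Ok           = ($progId -eq $want.ProgId) -and ($command -eq $want.Command)
        }
    }
}

Test-ExecutableAssociations | Format-Table -AutoSize
```

A row with `Ok` false or `UserOverride` true is the kind of detail worth including alongside the log when asking a helper to review the system.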

#5 rtb1314


Posted 21 February 2008 - 10:13 AM

I cannot seem to get HJT to run - I've tried all of the exe association fixes but whatever I'm up against seems to be one step ahead.

I tried renaming but whenever I associate the file type with an application it seems to get blocked.

I even tried running from a command prompt using my very rusty dos command knowledge - no dice.

I have been able to get my data off the computer in the likely event that this is terminal but I'm not ready to give up that easily.

Please advise as to how to get an HJT log out of this thing.

#6 quietman7


Posted 21 February 2008 - 10:26 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different tools to do the job. Even then, with some types of malware infections, the task can be arduous. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

"I tried renaming but whenever I associate the file type with an application"

Did you just try renaming HijackThis.exe to Scanner.bat, Scanner.scr or Scanner.com by right-clicking on it?

If you can still run Spysweeper, then some of your .exe's appear to be working. If that's the case we may be able to create a log with another program. I have provided instructions for two of them.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

What DSS will do:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically runs HijackThis, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed.
Note: You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
Note:
* When running System Scanner, some firewalls may warn that it is trying to access the internet especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
* If you get a warning from your anti-virus when scanning with DDS, please allow it as the scan is not harmful.


If DSS does not work, download and install WinPatrol.
  • During installation, it will create "Scotty the dog" icon in your system tray.
  • Right click on the icon and choose Options.
  • Under the Options tab click on Hijack Log.
  • WinPatrol will scan your system and create a hijackthis log for you.
  • When the scan is complete, notepad will open with a file named HijackPatrol.log
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum.
  • Exit WinPatrol when done.


#7 rtb1314


Posted 21 February 2008 - 12:04 PM

I tried renaming to scanner.exe via cmd window but the program didn't run - same error.

If I rename to .bat etc. do I need to associate .bat etc. to an application via file types etc. or do I just double click to run.

I recall trying that prior to posting on the bleep a few days back and still got the application error.

Do I rename HJT.exe - somethingelse.(anything but exe) and then double click to run?

OR do I rename and then associate file type (anything but exe) to application ? - this method appears to not work because the infection is watching the association process/activity.

What really ticked me off was the registry approach appears to do nothing - tried the file merge because I didn't want to type in an error.

I'll try the deckard scan tonight and hopefully get a log posted as I do not have to move anymore data off the system.

As another aside the adware spotted 69 infections but did not show any files to remove at the end of the scan.

Stinger also runs but I decided that it would be best to try and get the log first - so stopped its scan - seems like it might be a little outdated now (9/2007)

Upon trying to run any online anti virus scans the system hangs ie. no scanning window pops up etc. - have to end the process.

As an observation it seems like the infection knows which programs and activities to block eg. HJT and combofixer online av etc.

This definitely feels like a big juicy creepy crawly.

Thanks for everything so far.

#8 quietman7


Posted 21 February 2008 - 12:13 PM

"if I rename to .bat etc. do I need to associate .bat etc. to an application via file types etc. or do I just double click to run."

No. It's as simple as right-clicking on HijackThis.exe, renaming it as I previously instructed and then double-click to run.

Yes, some malware will specifically target certain security tools. Don't worry about your scans right now, just concentrate on getting a log posted.

#9 quietman7


Posted 21 February 2008 - 10:51 PM

Since you're dealing with some serious issues, I have moved your log to the HijackThis Logs and Malware Removal forum for you as we don't allow them here. Please go here, click on the Options button in the upper right corner of that thread and choose Track this topic. Subscribe to that topic to ensure you are notified when a helper replies.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.



